On 08/10/2017 11:19 AM, Christian Ehrhardt wrote:
> Testing qemu-2.10-rc2 shows issues like:
> qemu-system-x86_64: -drive file=/var/lib/uvtool/libvirt/images/kvmguest- \
> artful-normal.qcow,format=qcow2,if=none,id=drive-virtio-disk0:
> Failed to lock byte 100
>
> It seems the following qemu commit changed the needs for the backing
> image rules:
>
> (qemu) commit 244a5668106297378391b768e7288eb157616f64
> Author: Fam Zheng <famz@xxxxxxxxxx>
> file-posix: Add image locking to perm operations
>
> The block appears as:
> apparmor="DENIED" operation="file_lock" [...]
> name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow"
> [...] comm="qemu-system-x86" requested_mask="k" denied_mask="k"
>
> With that qemu change in place the rules generated for the image
> and backing files need the allowance to also lock (k) the files.
>
> Disks are added via add_file_path and with this fix rules now get
> that permission, but no other rules are changed, example:
> - "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rw,
> + "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
> src/security/virt-aa-helper.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>

ACKed and pushed.

Michal
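The denial quoted in the commit message can be matched against generated rules mechanically. The sketch below is an added example, not part of the thread and not libvirt's virt-aa-helper code: it finds `file_lock` denials in audit lines and adds `k` only to the rules for the affected paths. The log lines, profile name, pid and the second rule are constructed, and the function names are hypothetical.

```python
import re

# Constructed audit lines. Only operation, name, comm and the two masks come
# from the thread; the profile name and pid are placeholders.
SAMPLE_LOG = """\
type=1400 apparmor="DENIED" operation="file_lock" profile="libvirt-PLACEHOLDER" name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" pid=1 comm="qemu-system-x86" requested_mask="k" denied_mask="k"
type=1400 apparmor="DENIED" operation="open" profile="libvirt-PLACEHOLDER" name="/tmp/other.img" pid=1 comm="qemu-system-x86" requested_mask="w" denied_mask="w"
"""

# Constructed profile fragment in the rule form the commit message shows.
SAMPLE_RULES = [
    '"/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" rw,',
    '"/tmp/other.img" r,',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE = re.compile(r'"([^"]+)"\s+([a-z]+),')

def parse_fields(line):
    """Split one audit line into a dict of its key=value and key="value" pairs."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def lock_denials(log_text):
    """Return (path, comm) for each DENIED file_lock event whose denied mask has 'k'."""
    hits = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "file_lock"
                and "k" in f.get("denied_mask", "") and "name" in f):
            hits.append((f["name"], f.get("comm", "")))
    return hits

def fix_profile(rules, log_text):
    """Add 'k' only to rules whose path had a lock denial; leave all others as-is."""
    denied = {path for path, _ in lock_denials(log_text)}
    fixed = []
    for rule in rules:
        m = RULE.fullmatch(rule.strip())
        if m and m.group(1) in denied and "k" not in m.group(2):
            rule = '"%s" %sk,' % m.groups()
        fixed.append(rule)
    return fixed

if __name__ == "__main__":
    for old, new in zip(SAMPLE_RULES, fix_profile(SAMPLE_RULES, SAMPLE_LOG)):
        print(old, "->", new)
```

The `open` denial for the second path is deliberately left alone, so the write permission it asked for is not granted as a side effect of fixing the lock denial.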